MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad40e1841789cfbef3c9f09b4e557b928597506cd8b93d8eae51cef2ba3cf3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7


SHA256 hash: fad40e1841789cfbef3c9f09b4e557b928597506cd8b93d8eae51cef2ba3cf3f
SHA3-384 hash: e2f040a311dd3879941c5bcaabdcc84535d34342afc2d8dce9226540a869d354a626df29d9e75be8cd10423b199e313b
SHA1 hash: 9ef0395aeeba1387a5c37efbcd96cef768cff86b
MD5 hash: a8a8905ab14f5e24f28f9a0598a6c381
humanhash: iowa-wyoming-avocado-mars
File name: a8a8905ab14f5e24f28f9a0598a6c381
File size: 711'168 bytes
First seen: 2021-07-23 12:28:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 58af898a8945f807ca70ebf9933b9268 (4 x RemcosRAT, 1 x BitRAT)
ssdeep: 12288:RcOqhpe5sWWUgjIkdcCMTOArWe/C36lAnm4vNOpRKa:R7q+sWiItCoCdv
Threatray: 462 similar samples on MalwareBazaar
TLSH: T120E44B51E062DCB7C03215781D1A66A8A9A0FE703634AC4526F1F93CFEBF2C53D1D9A6
dhash icon: 72c28292b2a888e0 (7 x RemcosRAT, 1 x BitRAT, 1 x AveMariaRAT)
Reporter: zbetcheckin
Tags: 32 exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 96
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2eaf147e46a106eaf7a6c8e618060e2f.exe
Verdict: Malicious activity
Analysis date: 2021-07-23 11:41:53 UTC
Tags: loader trojan stealer raccoon rat azorult vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Clipboard Hijacker
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph (ID 453169; sample aIpWUUvz4X; start date 23/07/2021; architecture WINDOWS; score 100)
Signatures on the submitted sample: Multi AV Scanner detection for submitted file; Yara detected Clipboard Hijacker; Machine Learning detection for sample; Sigma detected: Execution from Suspicious Folder
Process tree, with dropped files, network connections and per-process signatures as recorded in the graph:
aIpWUUvz4X.exe
    network: cdn.discordapp.com 162.159.135.233, ports 443, 49717, 49718 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\Public\Libraries\...\Debnemn.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; Contains functionality to compare user and computer (likely to detect sandboxes)
    aIpWUUvz4X.exe
        dropped: C:\Users\user\AppData\Roaming\...\sqlcmd.exe (PE32); C:\Users\user\...\sqlcmd.exe:Zone.Identifier (ASCII)
        schtasks.exe
            conhost.exe
    cmd.exe
        reg.exe
            conhost.exe
        conhost.exe
    cmd.exe
        cmd.exe
            conhost.exe
        conhost.exe
sqlcmd.exe
    network: 162.159.133.233, ports 443, 49724 (CLOUDFLARENETUS, United States)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    sqlcmd.exe
        schtasks.exe
            conhost.exe
Debnemn.exe
    Debnemn.exe
2 other processes
    Debnemn.exe
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-07-23 12:04:36 UTC
AV detection: 18 of 27 (66.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SHA256 hash: d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6
MD5 hash: 5c63077607b089e7045eb5e93d8324d9
SHA1 hash: 9ca12c4d6e4a97269d26fe6755aae441276bff42

SHA256 hash: fad40e1841789cfbef3c9f09b4e557b928597506cd8b93d8eae51cef2ba3cf3f
MD5 hash: a8a8905ab14f5e24f28f9a0598a6c381
SHA1 hash: 9ef0395aeeba1387a5c37efbcd96cef768cff86b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe fad40e1841789cfbef3c9f09b4e557b928597506cd8b93d8eae51cef2ba3cf3f (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-07-23 12:28:26 UTC

url: hxxp://danielmi.ac.ug/cc.exe